This is the property of the Daily Journal Corporation and fully protected by copyright.

Law Practice

Dec. 13, 2012

Litigators and in-house counsel: get to know CFAA civil actions, Part 1

Protecting a client's digital fortress has never been more difficult, and technology and Internet companies must consider the Computer Fraud and Abuse Act as both a sword and a shield.

Marc Lewis

Partner, Lewis & Llewellyn LLP

505 Montgomery St Ste 1300
San Francisco, CA 94111

Marc is an experienced civil trial lawyer. Unlike most litigators, Marc tries cases. Marc has first-chaired numerous civil jury trials to verdict - the most recent of which spanned eight weeks, involved more than forty witnesses, and resulted in a favorable settlement post-verdict.

Jesse Koehler

O'Melveny & Myers LLP

Protecting a client's digital fortress has never been more difficult. "Content scraping," the process of caching massive quantities of webpages and images to effectively "copy" an entire website, provides a unique and immediate threat to Internet and technology companies. But protecting against such scraping is a difficult proposition, especially in the absence of a contractual provision prohibiting scraping. Without a contract, the most effective legal protections against scraping exist in the federal Computer Fraud and Abuse Act, or CFAA, and its California analogue, the Computer Data Access and Fraud Act (California Penal Code Section 502).

Internet-based companies can find themselves on both sides of a CFAA case involving scraping. In most cases, an Internet-based company is a civil plaintiff suing a defendant for unauthorized scraping from the plaintiff's webpages. Less frequently, a technology company is named as a defendant, but such cases exist, for example, in the class action setting. In In re iPhone Application Litigation, 844 F. Supp. 2d 1040 (N.D. Cal. 2012), the plaintiff class of iPhone users attempted to bring a CFAA civil action against Apple for allegedly accessing their devices without authorization to collect geolocation data. Although the court rejected the plaintiffs' theory, finding that their voluntary installation of the software that collected the geolocation data defused any possible CFAA claim, technology and Internet companies must consider the CFAA as both a sword and a shield.

The legislative history of the CFAA and Section 502 is illustrative. Congress passed the CFAA in 1986 to criminalize and counteract computer fraud, especially acts directed at government computers. In 1994 Congress expanded the act to permit private civil actions. The CFAA permits civil recovery where a plaintiff can show that a defendant: "(1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that [the defendant] (3) thereby obtained information (4) from any protected computer ... and that (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value." LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1132 (9th Cir. 2009).

The CFAA provides two key advantages that practitioners should note. First, the CFAA presents federal question jurisdiction. Thus a litigant with an accompanying California cause of action (e.g., breach of contract, trade secret theft, or other business tort) can sue in federal court, and ask the court to exercise supplemental jurisdiction of the state law claims. Second, the CFAA provides for the recovery of attorney fees. See, e.g., NCMIC Finance Corp. v. Artino, 628 F. Supp. 2d 1042 (S.D. Iowa 2009).

California followed suit with its own companion version of the CFAA in 1987 to expand the "degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems." 1987 Cal. Legis. Serv. 1499 (West). The language of Section 502 closely follows that of the CFAA and also permits private civil recovery; however, Section 502 has the notable exception of requiring no minimum harm value before allowing recovery. As a result of this key difference, Section 502 provides a lower barrier to recovery for civil clients. Additionally, Section 502(e)(2) specifically permits a court to award reasonable attorney fees. Litigators should thus pair a Section 502 cause of action with any CFAA claim because of this lower bar to recovery and easier route to obtain attorney fees.

The application of the CFAA and Section 502 in the 9th U.S. Circuit Court of Appeals has been controversial. Until recently, district courts in the Northern District of California were split as to whether a plaintiff's violation of a website's terms of service (TOS) exceeds "authorized access" in violation of the CFAA. For instance, in eBay Inc. v. Digital Point Solutions, Inc., 608 F. Supp. 2d 1156 (N.D. Cal. 2009), the court held that defendant's access of eBay's website with intent to defraud eBay violated eBay's TOS. The defendant had placed software code on web users' computers that prompted eBay's site to incorrectly credit the defendant for advertising fees even though the users had not been directed by a legitimate advertisement. The court found that this conduct violated eBay's TOS by accessing eBay's computers solely to defraud eBay and corrupt advertising data. The court stated: "[a]llegations with respect to access and use beyond those set forth in a user agreement constitute unauthorized use under the CFAA."

On the other hand, in Facebook v. Power Ventures, 844 F. Supp. 2d 1025 (N.D. Cal. 2012), the court held that merely violating a TOS was not enough to constitute "exceeding authorized access" under the CFAA, and instead required circumvention of technical barriers to constitute such unauthorized access. The defendant had used code that utilized a number of routines to avoid being blocked. The court found that defendants had in fact circumvented Facebook's technical barriers to gain access through these routines and thus "exceed[ed] authorized access" by accessing the site without permission.

The eBay and Facebook holdings left uncertain the viability of CFAA claims for violations of a webpage's TOS. While the eBay court held that a TOS violation with intent to defraud meets the CFAA standard for liability, the Facebook court held that a TOS violation, standing alone, does not violate the CFAA. Instead, the Facebook court required something more; namely, the circumvention of technological barriers. The 9th Circuit attempted to address this disconnect earlier this year.

In April 2012, the 9th Circuit, sitting en banc, offered a strict rule concerning the application of the CFAA in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012). Litigators - especially those working with web-based companies - and in-house counsel at such companies should be aware of Nosal and its progeny. With a working knowledge of these cases, both outside and inside counsel will better understand CFAA claims and how such claims integrate with other possible claims associated with content scraping.
